Cyber threats to energy security, as experienced by Saudi Arabia

Cyber assault is emerging as the principal concern for energy security. One oil major told me a few days ago: “We’re constantly under cyber attack.” But there is still a sense of denial hanging over the issue.

So while no less a figure than US Defense Secretary Leon Panetta can describe the al-Shamoon virus which assaulted Saudi Aramco and Qatar’s Rasgas in August as constituting probably the most destructive attack the business sector has yet sustained, Saudi Aramco itself has sought to downplay the impact.

What seems to have happened is that as many as 30 copies of the al-Shamoon virus were inserted into Saudi Aramco’s computer system on the same day, August 15, 2012. Some 30,000 company computers were infected by the virus, a worm which alters a computer’s hard drive in a way that makes the drive impossible to recover, whether to regain lost data or to be confident that the drive is safe.

Saudi Aramco has sought to play down the impact of the attack, with President and CEO Khalid al-Falih saying, in a note on the company’s Facebook website on August 26, that “we addressed the threat immediately, and our precautionary procedures, which have been in place to counter such threats, and our multiple protective systems, have helped to mitigate these deplorable cyber threats from spiralling.”

Falih specifically stated that “our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever.”

Yet damage was more widespread than the Aramco CEO indicated. Both drilling and production data were lost, including data provided by such drilling companies as Santa Fe, Ocean and Schlumberger. Drilling produces enormous volumes of data, which is then transferred to a Saudi Aramco data base center and filtered, with other data discarded. The filtered data is supposed to be manually backed up twice a day but, perhaps because it was Ramadan, there were no backups carried out for either drilling or production data. It’s the filtered data that’s important…and it’s the filtered data that was lost.

The virus hit the company’s management offices throughout the Kingdom. It also hit its offices in Houston and The Hague and, probably, its offices in Asia. It also hit the state-of-the-art Exploration and Petroleum Engineering Center – Advanced Research Center in Dhahran, which is responsible for the company’s upstream oil and gas technology development. That’s where more than 250 researchers, technologists and strategists are working on what Saudi Aramco terms “inventive and original solutions to the company’s upstream technical challenges,” including the ability to test these solutions in practice in some of the world’s biggest oilfields.

In Qatar, a second attack hit that country’s biggest LNG operation, the Rasgas joint venture between Qatar Petroleum and ExxonMobil, on August 27. It also appears to have hit Maersk Oil, which produces 300,000 b/d at Qatar’s offshore Al Shaheen field.

Leon Panetta, addressing business leaders in New York on October 11, described the scale and speed of the al-Shamoon attack as unprecedented. “More than 30,000 computers that it infected were rendered useless, and had to be replaced,” he said. “Imagine the impact an attack like this would have on your company,” he added.

The question of who was responsible remains officially unanswered, although there has been a lot of finger pointing at Iran. For the Saudis, one problem is the nature of how the virus was inserted into Saudi Aramco’s system. The insertion of the al-Shamoon virus required someone who had physical access to the computers. This obviously raises concerns about both staff loyalty and the implementation of the company’s cyber security measures.

The Al-Shamoon attack was not the only major cyber attack of recent years, but it does appear to have been the worst. Other companies targeted for attack include Chevron, which was hit in 2010 by the Stuxnet virus, a virus whose original target was Iran’s nuclear facilities. Baker Hughes also has been attacked, with a virus seeking to download its data, including data on operations carried out for clients and other sensitive client-related information. Baker Hughes staff were told to unplug their laptops as soon as the attack was spotted, but it took the best part of a month to bring all the company’s systems back on line.

For companies confronted by such assaults, a natural response is the immediate beefing up of their own cyber security measures. But they also must work out just what to tell their customers. In the longer run they will not only need to face up to damage sustained in terms of loss of data, production or operations, but also in terms of reputation.

Comments

John Roberts at November 27, 2012 10:21 pm

Dear W. Satterthwaite,

That’s a very good question, and it already includes the answer. The answer comes down to a single word. Trust. You have to trust whoever you call in. But there are companies whose reputations are built on trust (dare I say it, Platts is one) and if they lose that reputation, they lose a heck of a lot of business. I would argue that’s particularly true when it comes to provision of cyber security.

I was until recently chief technologist at a small company that developed software that easily prevents this kind of attack (Stuxnet, etc., are no match). The company went belly-up because the solution was too radical, too different from anti-virus and all the other stuff that supposedly protects but lets just about everything in. We applied for patents (still pending), and have a working system (that still needs some tweaks, but software, by definition, is never complete). Executables, scripts, whatever, can’t execute. Truly remarkable cyber security, but too radical. Doesn’t count that it works; it doesn’t fit expectations. Too bad. It’s really easy to prevent cyber attacks against individual computers, enterprises, industrial control systems, and so on.